Learn how to set up your organization’s view rights. Make sure you check out the types of view rights to gain a better understanding of the different options available.
Where can I set view rights?
Within the app you can set view rights at the following levels:
- Team membership
- Team
- User
- Role
- Organization defaults
How are the view rights structured?
As with many permission structures, view rights use a waterfall system that inherits from the permission settings above it. You can override these settings at each level for full control.
To determine view rights for a user, for both scope and depth, Flow starts at the bottom of the waterfall and works its way up until it finds the first explicitly set view right. If a view right is set to Inherit at any point, Flow looks at the next step up in the waterfall to check for an explicitly set view right.
From the bottom to the top of the waterfall in order, Flow looks at view rights for team membership, team, user, role, organization, and system.
There are two components of view rights: scope and depth. One or both of these components is set at each level in the waterfall. Not all levels have both components, but both components are checked when determining a user’s view rights. Learn more about the types of view rights.
Note: Even if a user has a more permissive view right set at a higher level of the waterfall, if there is a less permissive view right explicitly set lower in the waterfall, that less permissive view right overrides the more permissive view right.
To determine what you’re able to view, Flow checks view rights in this order:
-
Team membership: At this level, set depth only. This determines what view rights specific members of the team have when viewing team data. Also select whether a team member is a contributor or viewer for the team. Manage this from the Users tab of the team details page.
-
Team: At this level, set depth only. This determines what view rights team members in general have when viewing data for the team. Manage this from the View rights tab of the team details page.
-
User: At this level, set both scope and depth. This determines what view rights a user has when viewing teams and viewing other users’ data. Manage this from the View rights tab of the user details page.
-
Role: At this level, set both scope and depth for each role. Flow gives the user the most permissive view rights across all assigned roles to a user. When finding the most permissive view rights, Flow only looks at explicitly set view rights. If a view right for a role is set to Inherit, it is not included in the list of explicitly set permissions. This determines what view rights users assigned to the roles have when viewing teams and viewing other users’ data. Manage this on the Roles page. Learn more about setting up roles.
Important: Advanced view rights must be enabled at the organization level. Toggle on Enable advanced view rights at the organization level to have the option to configure view rights at the org level. We recommend only enabling this if you use Flow with an SSO/SAML integration.
-
Organization: At this level, set both scope and depth. This determines what view rights all users in the organization have when viewing teams and viewing other users’ data. Manage this by clicking Set default view rights on the Roles page.
-
System: If no view rights are set at any level previously mentioned, Flow sets a default scope and depth for all plans. This default gives users access to see all teams’ data and to see individual users’ metrics. This is not configurable in Flow.
Contributor vs Viewer
By default, anyone you add to a team is a Contributor. This means their data is included in Flow reports and metrics when viewing that team's data.
If you want to grant someone visibility to a team’s data, but do not want their data included when viewing team-level reports or metrics, change their membership to Viewer.
Note: If you view data for multiple teams in a Flow report, if a user is listed as a Contributor on any of those teams, their data is included in the reports, even if they are a Viewer on one or more of the teams. If you view data for a system team, like Users on teams, data for all users that meet the criteria is included, regardless of if they’re Viewers or not for any teams they’re members of.
Viewing across multiple teams
Anyone with permissions to view multiple teams will inherit the rules their user, role, or organization provides them with. If you want to change their level of visibility for a specific team that they are part of, set this at the team level.
As an example, if you want to see your fellow manager's team-level statistics, but don't want to see the individual contributors' metrics, grant managers the ability to see either All Teams or Their Own Teams, but not the ability to see individual contributors' metrics. Then, for teams you are directly responsible for, increase your permissions so that you can see individual contributors' metrics.
A word of caution
If you decide to manually change permissions other than the organization defaults, proceed with caution. Combining overrides in roles, user, and team view rights is complex and difficult to track manually. We recommend managing it with SSO/SAML if possible.
Consider creating a test user first and experiment with the view rights so you understand the permissions changes you are making before applying them to your users.